BTCPay Server v1.7.4 – HTML Injection

Exploit Database
18 阅读

作者： Manojkumar J

日期： 2023-04-05
类别：
- webapps
平台：
- multiple
来源：https://www.exploit-db.com/exploits/51254/

# Exploit Title: BTCPay Server v1.7.4 - HTML Injection
# Date: 01/26/2023
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Vendor Homepage: https://github.com/btcpayserver/btcpayserver
# Software Link:
https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.5
# Version: <=1.7.4
# Tested on: Windows10
# CVE : CVE-2023-0493

# Description:

BTCPay Server v1.7.4 HTML injection vulnerability.

# Steps to exploit:

1. Create an account on the target website.

Register endpoint: https://target-website.com/register#

2. Move on to the API key and create API key with the html injection in the
label field.

Example:

<a href="https://hackerbro.in">clickhere</a>


3. Click remove/delete API key, the html injection will render.

last Exploits
BTCPay Server v1.7.4 – HTML Injection的更多信息

Statamic 4.7.0 – File-Inclusion：
SPBAS Business Automation Software 2012 – Multiple Vulnerabilities：
Simple Food Website 1.0 – Authentication Bypass：
INFOR EAM 11.0 Build 201410 – ‘filtervalue’ SQL Injection：
B-swiss 3 Digital Signage System 3.6.5 – Cross-Site Request Forgery (Add Maintenance Admin)：
vBulletin 5.6.2 – ‘widget_tabbedContainer_tab_panel’ Remote Code Execution：
Gadget Works Online Ordering System 1.0 – ‘Category’ Persistent Cross-Site Scripting (XSS)：
B2B Portal Script – Blind SQL Injection：